Plundervolt
Introduction
Modern processors are being pushed to perform faster than ever before - and with
this comes increases in heat and power consumption. To manage this, many chip
manufacturers allow frequency and voltage to be adjusted as and when needed. But
more than that, they offer the user the opportunity to modify the frequency and
voltage through priviledged software interfaces. With Plundervolt we showed that
these software interfaces can be exploited to undermine the system's security.
We were able to corrupt the integrity of Intel SGX on Intel Core processors by
controling the voltage when executing enclave computations. This means that even
Intel SGX's memory encryption/authentication technology cannot protect against
Plundervolt.
Videos
Questions
Who reported this?
Pundervolt was first reported on June 7, 2019 by a group of international
researchers:
Kit Murdock, David Oswald, Flavio D Garcia (The University of
Birmingham)
Jo Van Bulck, Frank Piessens (imec-DistriNet, KU Leuven)
Daniel Gruss (Graz University of Technology)
Before that, Navjivan Pal looked at the potential of using undervolting for
faulting (non-SGX) computations within his final year project at the University
of Birmingham under supervision of David Oswald.
We have also been informed by Intel that other researchers reported a similar issue after our initial disclosure to Intel on 7 June 2019. We currently do not know who these researchers are, but there might be reports for a similar attack under a different name. Intel has confirmed that we were the first group to report this issue.
What is Intel SGX?
Intel Software Guard Extensions (SGX) is a set of security-related instruction
codes that are built into modern Intel CPUs. SGX allows to shield sensitive
computations inside so-called "enclaves". The contents of these enclaves are
protected and cannot be accessed or modified from outside the enclave. This
includes an attacker who has root privileges in the normal (untrusted) operating
system.
Does this attack affect only SGX, or also other applications
on Intel processors?
Plundervolt is a similar class of Undervolting attacks like CLKScrew and
VoltJockey executed on SGX enclaves. This is because the undervolting interface
is only accessible with root privileges in the untrusted operating system - it
would not make sense to attack software with undervolting when you're already
root, apart from the case of SGX (which should protect against a root attacker).
We also reviewed common hypervisors and virtual machine software, and found that
the guest OS cannot access the undervolting interface (which otherwise would
allow an attack on the host OS).
Does an attacker need physical access to my computer for this?
No. The undervolting interface is accessible from software, so if a remote
attacker can become root in the untrusted OS, she can also mount the Plundervolt
attack. In any case, note that attackers with physical access would also be in
the threat model of SGX (e.g. to protect against malicious cloud providers).
What should affected user do?
If you do not use SGX, you do not need to do anything. If you do use SGX: Intel
has released a microcode update that - together with a BIOS update - allows
disabling of the undervolting interface. The fact that undervolting is disabled
will be reflected in remote attestation. More information can be found in
Intel's security advisory.
Should I worry about Plundervolt if my enclave does not
perform cryptographic operations?
Yes. In addition to the extraction of cryptographic keys, Plundervolt can also
cause memory safety misbehaviour in certain scenarios. Specifically, we show
that out-of-bounds accesses may arise when an attacker faults multiplications
emitted by the compiler for array element indices or pointer arithmetic.
Plundervolt can break the processor's integrity guarantees, even for securely
written code. In the paper, we show that Plundervolt may affect SGX's
attestation functionality, undermining the building blocks that underpin the
security of Intel's SGX ecosystem.
How have Intel responded?
Intel responded quickly after we started the responsible disclosure process on 7
June 2019. Since then, Intel has discussed the issue with us and kept us
informed of their timeline. Intel provides more information about TCB recovery
and attestation on their website.
Is there proof-of-concept code?
Yes, check our Plundervolt Github repository.
Is there a CVE?
Yes. CVE-2019-11157.
Where can I find the paper?
Here: Plundervolt: Software-based Fault Injection Attacks against Intel SGX
Is this the same as Rowhammer?
No. RowHammer allows an attacker to flip bits in memory, but this does not work
for SGX-protected memory. This is because SGX cryptographically ensures that
physical memory is not changed outside the SGX environment. Plundervolt flips
bits inside the CPU, before they are written to memory, and hence is not
prevented by SGX's memory protection.
Is this related to the CLKScrew or VoltJockey attacks?
Yes and no. CLKScrew and VoltJockey target ARM processors and ARM Trustzone,
while we attack on Intel SGX. However, Plundervolt and CLKScrew/VoltJockey are
similar in that they use a privileged power/clock management feature to inject
faults into a trusted execution environment. Besides, with Plundervolt we show
that fault injection can achieve more than extracting cryptographic keys: we
show that faults can be used to maliciously change the data flow in programs
that do not use cryptography at all.
How is this related to speculative execution attacks like
Spectre or Foreshadow?
Speculative execution attacks like Foreshadow or Spectre allow to read data from
SGX enclave memory (i.e. attacks the confidentiality). Plundervolt achieves the
complementary operation, namely changing values in SGX-protected memory (i.e.
attacks the integrity).
Why is it called Plundervolt?
The dictionary definition of plunder: ˈplən-dər To steal or remove something
precious from something, in a way that does not consider moral laws.
Should I now throw away my CPU or stop using SGX altogether?
No, definitely not. If you are not using SGX, no actions are required. If you
are using SGX, it suffices to apply the microcode update provided by Intel to
mitigate Plundervolt.